create-svc 0.1.9 → 0.1.11

package/templates/variants/go-connectrpc/internal/app/service.go

@@ -1,109 +1,318 @@
 package app
 
 import (
+	"bytes"
 	"context"
+	"database/sql"
+	"encoding/csv"
+	"encoding/json"
+	"errors"
 	"fmt"
-	"sync"
+	"net/mail"
+	"strings"
+	"time"
+
+	"github.com/jmoiron/sqlx"
 )
 
-type Record struct {
-	ID      string `json:"id"`
-	Type    string `json:"type"`
-	Name    string `json:"name"`
-	Content string `json:"content"`
-	TTL     int    `json:"ttl"`
-	Proxied bool   `json:"proxied"`
+type WaitlistEntry struct {
+	ID        string `json:"id" db:"id"`
+	Email     string `json:"email" db:"email"`
+	Name      string `json:"name,omitempty" db:"name"`
+	Company   string `json:"company,omitempty" db:"company"`
+	Source    string `json:"source,omitempty" db:"source"`
+	Status    string `json:"status" db:"status"`
+	CreatedAt string `json:"created_at" db:"created_at"`
+	UpdatedAt string `json:"updated_at" db:"updated_at"`
 }
 
-type CreateRecordInput struct {
-	Type    string `json:"type"`
+type WaitlistTrigger struct {
+	ID          string `json:"id" db:"id"`
+	Type        string `json:"type" db:"type"`
+	EntryID     string `json:"entry_id,omitempty" db:"entry_id"`
+	Status      string `json:"status" db:"status"`
+	Payload     any    `json:"payload"`
+	CreatedAt   string `json:"created_at" db:"created_at"`
+	ProcessedAt string `json:"processed_at,omitempty" db:"processed_at"`
+}
+
+type JoinWaitlistInput struct {
+	Email   string `json:"email"`
 	Name    string `json:"name"`
-	Content string `json:"content"`
-	TTL     int    `json:"ttl"`
-	Proxied bool   `json:"proxied"`
+	Company string `json:"company"`
+	Source  string `json:"source"`
+}
+
+type JoinWaitlistResult struct {
+	Entry   WaitlistEntry `json:"entry"`
+	Created bool          `json:"created"`
 }
 
-type UpdateRecordInput struct {
+type RecordTriggerInput struct {
 	Type    string `json:"type"`
-	Name    string `json:"name"`
-	Content string `json:"content"`
-	TTL     int    `json:"ttl"`
-	Proxied bool   `json:"proxied"`
+	EntryID string `json:"entry_id"`
+	Payload any    `json:"payload"`
+}
+
+type ListWaitlistEntriesInput struct {
+	Status string `json:"status"`
+	Limit  int    `json:"limit"`
 }
 
-type DNSService struct {
-	mu      sync.RWMutex
-	nextID  int
-	records map[string]Record
+type UpdateWaitlistEntryInput struct {
+	EntryID string `json:"entry_id"`
+	Status  string `json:"status"`
 }
 
-func NewDNSService() *DNSService {
-	return &DNSService{
-		nextID:  1,
-		records: map[string]Record{},
+type AppError struct {
+	Status int
+	Code   string
+	Err    error
+}
+
+func (e *AppError) Error() string { return e.Err.Error() }
+
+type WaitlistService struct {
+	db *sqlx.DB
+}
+
+func OpenDatabase(ctx context.Context, databaseURL string) (*sqlx.DB, error) {
+	if strings.TrimSpace(databaseURL) == "" {
+		return nil, errors.New("DATABASE_URL is required")
+	}
+	return sqlx.ConnectContext(ctx, "pgx", databaseURL)
+}
+
+func NewWaitlistService(db *sqlx.DB) *WaitlistService {
+	return &WaitlistService{db: db}
+}
+
+func (s *WaitlistService) JoinWaitlist(ctx context.Context, input JoinWaitlistInput) (JoinWaitlistResult, error) {
+	email, err := normalizeEmail(input.Email)
+	if err != nil {
+		return JoinWaitlistResult{}, err
+	}
+
+	existing, err := s.GetEntryByEmail(ctx, email)
+	if err == nil {
+		return JoinWaitlistResult{Entry: existing, Created: false}, nil
+	}
+	var appErr *AppError
+	if !errors.As(err, &appErr) || appErr.Code != "entry_not_found" {
+		return JoinWaitlistResult{}, err
+	}
+
+	id := fmt.Sprintf("entry_%d", time.Now().UnixNano())
+	var entry WaitlistEntry
+	err = s.db.GetContext(ctx, &entry, `
+insert into waitlist_entries (id, email, name, company, source, status)
+values ($1, $2, nullif($3, ''), nullif($4, ''), nullif($5, ''), 'joined')
+returning id, email, coalesce(name, '') as name, coalesce(company, '') as company, coalesce(source, '') as source, status, created_at::text, updated_at::text
+`, id, email, strings.TrimSpace(input.Name), strings.TrimSpace(input.Company), strings.TrimSpace(input.Source))
+	if err != nil {
+		return JoinWaitlistResult{}, err
 	}
+
+	if _, err := s.RecordTrigger(ctx, RecordTriggerInput{
+		Type:    "waitlist.joined",
+		EntryID: entry.ID,
+		Payload: map[string]any{"email": entry.Email, "source": entry.Source},
+	}); err != nil {
+		return JoinWaitlistResult{}, err
+	}
+
+	return JoinWaitlistResult{Entry: entry, Created: true}, nil
 }
 
-func (s *DNSService) ListRecords(ctx context.Context) ([]Record, error) {
-	_ = ctx
-	s.mu.RLock()
-	defer s.mu.RUnlock()
+func (s *WaitlistService) GetEntry(ctx context.Context, entryID string) (WaitlistEntry, error) {
+	var entry WaitlistEntry
+	err := s.db.GetContext(ctx, &entry, `
+select id, email, coalesce(name, '') as name, coalesce(company, '') as company, coalesce(source, '') as source, status, created_at::text, updated_at::text
+from waitlist_entries
+where id = $1`, strings.TrimSpace(entryID))
+	if err != nil {
+		return WaitlistEntry{}, notFoundIfNoRows(err, "entry_not_found", "waitlist entry not found")
+	}
+	return entry, nil
+}
 
-	out := make([]Record, 0, len(s.records))
-	for _, record := range s.records {
-		out = append(out, record)
+func (s *WaitlistService) GetEntryByEmail(ctx context.Context, rawEmail string) (WaitlistEntry, error) {
+	email, err := normalizeEmail(rawEmail)
+	if err != nil {
+		return WaitlistEntry{}, err
 	}
-	return out, nil
+	var entry WaitlistEntry
+	err = s.db.GetContext(ctx, &entry, `
+select id, email, coalesce(name, '') as name, coalesce(company, '') as company, coalesce(source, '') as source, status, created_at::text, updated_at::text
+from waitlist_entries
+where email = $1`, email)
+	if err != nil {
+		return WaitlistEntry{}, notFoundIfNoRows(err, "entry_not_found", "waitlist entry not found")
+	}
+	return entry, nil
 }
 
-func (s *DNSService) CreateRecord(ctx context.Context, input CreateRecordInput) (Record, error) {
-	_ = ctx
-	s.mu.Lock()
-	defer s.mu.Unlock()
+func (s *WaitlistService) ListEntries(ctx context.Context, input ListWaitlistEntriesInput) ([]WaitlistEntry, error) {
+	limit := clampLimit(input.Limit)
+	status := strings.TrimSpace(input.Status)
+	var entries []WaitlistEntry
+	var err error
+	if status != "" {
+		status, err = normalizeStatus(status)
+		if err != nil {
+			return nil, err
+		}
+		err = s.db.SelectContext(ctx, &entries, `
+select id, email, coalesce(name, '') as name, coalesce(company, '') as company, coalesce(source, '') as source, status, created_at::text, updated_at::text
+from waitlist_entries
+where status = $1
+order by created_at desc
+limit $2`, status, limit)
+	} else {
+		err = s.db.SelectContext(ctx, &entries, `
+select id, email, coalesce(name, '') as name, coalesce(company, '') as company, coalesce(source, '') as source, status, created_at::text, updated_at::text
+from waitlist_entries
+order by created_at desc
+limit $1`, limit)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return entries, nil
+}
 
-	record := Record{
-		ID:      fmt.Sprintf("%d", s.nextID),
-		Type:    input.Type,
-		Name:    input.Name,
-		Content: input.Content,
-		TTL:     input.TTL,
-		Proxied: input.Proxied,
+func (s *WaitlistService) UpdateEntry(ctx context.Context, input UpdateWaitlistEntryInput) (WaitlistEntry, error) {
+	entryID := strings.TrimSpace(input.EntryID)
+	if entryID == "" {
+		return WaitlistEntry{}, &AppError{Status: 400, Code: "invalid_entry_id", Err: errors.New("entry id is required")}
+	}
+	status, err := normalizeStatus(input.Status)
+	if err != nil {
+		return WaitlistEntry{}, err
+	}
+	var entry WaitlistEntry
+	err = s.db.GetContext(ctx, &entry, `
+update waitlist_entries
+set status = $2, updated_at = now()
+where id = $1
+returning id, email, coalesce(name, '') as name, coalesce(company, '') as company, coalesce(source, '') as source, status, created_at::text, updated_at::text
+`, entryID, status)
+	if err != nil {
+		return WaitlistEntry{}, notFoundIfNoRows(err, "entry_not_found", "waitlist entry not found")
 	}
+	return entry, nil
+}
 
-	s.nextID += 1
-	s.records[record.ID] = record
-	return record, nil
+func (s *WaitlistService) ExportEntries(ctx context.Context, input ListWaitlistEntriesInput) (string, error) {
+	entries, err := s.ListEntries(ctx, input)
+	if err != nil {
+		return "", err
+	}
+	var buffer bytes.Buffer
+	writer := csv.NewWriter(&buffer)
+	_ = writer.Write([]string{"id", "email", "name", "company", "source", "status", "created_at", "updated_at"})
+	for _, entry := range entries {
+		_ = writer.Write([]string{entry.ID, entry.Email, entry.Name, entry.Company, entry.Source, entry.Status, entry.CreatedAt, entry.UpdatedAt})
+	}
+	writer.Flush()
+	return buffer.String(), writer.Error()
 }
 
-func (s *DNSService) UpdateRecord(ctx context.Context, id string, input UpdateRecordInput) (Record, error) {
-	_ = ctx
-	s.mu.Lock()
-	defer s.mu.Unlock()
+func (s *WaitlistService) RecordTrigger(ctx context.Context, input RecordTriggerInput) (WaitlistTrigger, error) {
+	triggerType := strings.TrimSpace(input.Type)
+	if triggerType == "" {
+		return WaitlistTrigger{}, &AppError{Status: 400, Code: "invalid_trigger_type", Err: errors.New("trigger type is required")}
+	}
 
-	record, ok := s.records[id]
-	if !ok {
-		return Record{}, fmt.Errorf("record %s not found", id)
+	entryID := strings.TrimSpace(input.EntryID)
+	if entryID != "" {
+		if _, err := s.GetEntry(ctx, entryID); err != nil {
+			return WaitlistTrigger{}, err
+		}
 	}
 
-	record.Type = input.Type
-	record.Name = input.Name
-	record.Content = input.Content
-	record.TTL = input.TTL
-	record.Proxied = input.Proxied
-	s.records[id] = record
+	payloadBytes, err := json.Marshal(input.Payload)
+	if err != nil {
+		return WaitlistTrigger{}, err
+	}
+	if string(payloadBytes) == "null" {
+		payloadBytes = []byte("{}")
+	}
 
-	return record, nil
+	id := fmt.Sprintf("trg_%d", time.Now().UnixNano())
+	var row waitlistTriggerRow
+	err = s.db.GetContext(ctx, &row, `
+insert into waitlist_triggers (id, type, entry_id, status, payload_json)
+values ($1, $2, nullif($3, ''), 'queued', $4)
+returning id, type, coalesce(entry_id, '') as entry_id, status, payload_json, created_at::text, coalesce(processed_at::text, '') as processed_at
+`, id, triggerType, entryID, string(payloadBytes))
+	if err != nil {
+		return WaitlistTrigger{}, err
+	}
+	return row.toTrigger()
 }
 
-func (s *DNSService) DeleteRecord(ctx context.Context, id string) error {
-	_ = ctx
-	s.mu.Lock()
-	defer s.mu.Unlock()
+type waitlistTriggerRow struct {
+	ID          string `db:"id"`
+	Type        string `db:"type"`
+	EntryID     string `db:"entry_id"`
+	Status      string `db:"status"`
+	PayloadJSON string `db:"payload_json"`
+	CreatedAt   string `db:"created_at"`
+	ProcessedAt string `db:"processed_at"`
+}
+
+func (r waitlistTriggerRow) toTrigger() (WaitlistTrigger, error) {
+	var payload any
+	if err := json.Unmarshal([]byte(r.PayloadJSON), &payload); err != nil {
+		return WaitlistTrigger{}, err
+	}
+	return WaitlistTrigger{
+		ID:          r.ID,
+		Type:        r.Type,
+		EntryID:     r.EntryID,
+		Status:      r.Status,
+		Payload:     payload,
+		CreatedAt:   r.CreatedAt,
+		ProcessedAt: r.ProcessedAt,
+	}, nil
+}
+
+func normalizeEmail(value string) (string, error) {
+	email := strings.ToLower(strings.TrimSpace(value))
+	if email == "" {
+		return "", &AppError{Status: 400, Code: "invalid_email", Err: errors.New("valid email is required")}
+	}
+	parsed, err := mail.ParseAddress(email)
+	if err != nil || parsed.Address != email {
+		return "", &AppError{Status: 400, Code: "invalid_email", Err: errors.New("valid email is required")}
+	}
+	return email, nil
+}
 
-	if _, ok := s.records[id]; !ok {
-		return fmt.Errorf("record %s not found", id)
+func normalizeStatus(value string) (string, error) {
+	status := strings.ToLower(strings.TrimSpace(value))
+	switch status {
+	case "joined", "invited", "converted", "archived":
+		return status, nil
+	default:
+		return "", &AppError{Status: 400, Code: "invalid_status", Err: errors.New("status must be one of joined, invited, converted, archived")}
 	}
+}
 
-	delete(s.records, id)
-	return nil
+func clampLimit(value int) int {
+	if value <= 0 {
+		return 100
+	}
+	if value > 500 {
+		return 500
+	}
+	return value
+}
+
+func notFoundIfNoRows(err error, code string, message string) error {
+	if errors.Is(err, sql.ErrNoRows) {
+		return &AppError{Status: 404, Code: code, Err: errors.New(message)}
+	}
+	return err
 }

package/templates/variants/go-connectrpc/internal/auth/middleware.go

@@ -0,0 +1,289 @@
+package auth
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"math/big"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+)
+
+type Config struct {
+	Enabled  bool
+	Issuer   string
+	Audience string
+	JWKSURL  string
+}
+
+type jwksCache struct {
+	mu        sync.Mutex
+	expiresAt time.Time
+	keys      []jwk
+}
+
+type jwtHeader struct {
+	Alg string `json:"alg"`
+	Kid string `json:"kid"`
+}
+
+type jwtClaims struct {
+	Issuer    string          `json:"iss"`
+	Audience  json.RawMessage `json:"aud"`
+	ExpiresAt int64           `json:"exp"`
+	NotBefore int64           `json:"nbf"`
+}
+
+type jwksDocument struct {
+	Keys []jwk `json:"keys"`
+}
+
+type jwk struct {
+	Kty string `json:"kty"`
+	Kid string `json:"kid"`
+	Alg string `json:"alg"`
+	N   string `json:"n"`
+	E   string `json:"e"`
+	Crv string `json:"crv"`
+	X   string `json:"x"`
+	Y   string `json:"y"`
+}
+
+func Middleware(cfg Config) func(http.Handler) http.Handler {
+	cache := &jwksCache{}
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, request *http.Request) {
+			if !cfg.Enabled || publicPath(request) {
+				next.ServeHTTP(w, request)
+				return
+			}
+			token := bearerToken(request.Header.Get("Authorization"))
+			if token == "" || verifyToken(request.Context(), token, cfg, cache) != nil {
+				writeUnauthorized(w)
+				return
+			}
+			next.ServeHTTP(w, request)
+		})
+	}
+}
+
+func publicPath(request *http.Request) bool {
+	path := request.URL.Path
+	return path == "/" || path == "/healthz" || path == "/readyz" || strings.HasPrefix(path, "/webhooks/")
+}
+
+func verifyToken(ctx context.Context, token string, cfg Config, cache *jwksCache) error {
+	if cfg.Issuer == "" || cfg.Audience == "" || cfg.JWKSURL == "" {
+		return errors.New("auth config is incomplete")
+	}
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return errors.New("token must have three parts")
+	}
+
+	var header jwtHeader
+	if err := decodeJSON(parts[0], &header); err != nil {
+		return err
+	}
+	var claims jwtClaims
+	if err := decodeJSON(parts[1], &claims); err != nil {
+		return err
+	}
+	key, err := cache.key(ctx, cfg.JWKSURL, header.Kid)
+	if err != nil {
+		return err
+	}
+	if err := verifySignature(header.Alg, key, []byte(parts[0]+"."+parts[1]), parts[2]); err != nil {
+		return err
+	}
+	return validateClaims(claims, cfg)
+}
+
+func (cache *jwksCache) key(ctx context.Context, jwksURL string, kid string) (jwk, error) {
+	cache.mu.Lock()
+	defer cache.mu.Unlock()
+
+	if time.Now().After(cache.expiresAt) {
+		request, err := http.NewRequestWithContext(ctx, http.MethodGet, jwksURL, nil)
+		if err != nil {
+			return jwk{}, err
+		}
+		response, err := http.DefaultClient.Do(request)
+		if err != nil {
+			return jwk{}, err
+		}
+		defer response.Body.Close()
+		if response.StatusCode < 200 || response.StatusCode >= 300 {
+			return jwk{}, errors.New("jwks fetch failed")
+		}
+		var document jwksDocument
+		if err := json.NewDecoder(response.Body).Decode(&document); err != nil {
+			return jwk{}, err
+		}
+		cache.keys = document.Keys
+		cache.expiresAt = time.Now().Add(5 * time.Minute)
+	}
+
+	if kid == "" && len(cache.keys) == 1 {
+		return cache.keys[0], nil
+	}
+	for _, key := range cache.keys {
+		if key.Kid == kid {
+			return key, nil
+		}
+	}
+	return jwk{}, errors.New("jwk not found")
+}
+
+func verifySignature(alg string, key jwk, signingInput []byte, encodedSignature string) error {
+	signature, err := base64.RawURLEncoding.DecodeString(encodedSignature)
+	if err != nil {
+		return err
+	}
+	digest := sha256.Sum256(signingInput)
+	switch alg {
+	case "RS256":
+		publicKey, err := rsaPublicKey(key)
+		if err != nil {
+			return err
+		}
+		return rsa.VerifyPKCS1v15(publicKey, crypto.SHA256, digest[:], signature)
+	case "ES256":
+		publicKey, err := ecdsaPublicKey(key)
+		if err != nil {
+			return err
+		}
+		if len(signature) != 64 {
+			return errors.New("invalid ES256 signature")
+		}
+		r := new(big.Int).SetBytes(signature[:32])
+		s := new(big.Int).SetBytes(signature[32:])
+		if !ecdsa.Verify(publicKey, digest[:], r, s) {
+			return errors.New("invalid ES256 signature")
+		}
+		return nil
+	case "EdDSA":
+		publicKey, err := ed25519PublicKey(key)
+		if err != nil {
+			return err
+		}
+		if !ed25519.Verify(publicKey, signingInput, signature) {
+			return errors.New("invalid EdDSA signature")
+		}
+		return nil
+	default:
+		return errors.New("unsupported jwt alg")
+	}
+}
+
+func rsaPublicKey(key jwk) (*rsa.PublicKey, error) {
+	n, err := base64.RawURLEncoding.DecodeString(key.N)
+	if err != nil {
+		return nil, err
+	}
+	eBytes, err := base64.RawURLEncoding.DecodeString(key.E)
+	if err != nil {
+		return nil, err
+	}
+	e := 0
+	for _, b := range eBytes {
+		e = e<<8 + int(b)
+	}
+	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: e}, nil
+}
+
+func ecdsaPublicKey(key jwk) (*ecdsa.PublicKey, error) {
+	if key.Crv != "P-256" {
+		return nil, errors.New("unsupported ecdsa curve")
+	}
+	x, err := base64.RawURLEncoding.DecodeString(key.X)
+	if err != nil {
+		return nil, err
+	}
+	y, err := base64.RawURLEncoding.DecodeString(key.Y)
+	if err != nil {
+		return nil, err
+	}
+	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
+}
+
+func ed25519PublicKey(key jwk) (ed25519.PublicKey, error) {
+	if key.Crv != "Ed25519" {
+		return nil, errors.New("unsupported eddsa curve")
+	}
+	x, err := base64.RawURLEncoding.DecodeString(key.X)
+	if err != nil {
+		return nil, err
+	}
+	if len(x) != ed25519.PublicKeySize {
+		return nil, errors.New("invalid Ed25519 public key")
+	}
+	return ed25519.PublicKey(x), nil
+}
+
+func validateClaims(claims jwtClaims, cfg Config) error {
+	now := time.Now().Unix()
+	if claims.Issuer != cfg.Issuer {
+		return errors.New("issuer mismatch")
+	}
+	if !audienceMatches(claims.Audience, cfg.Audience) {
+		return errors.New("audience mismatch")
+	}
+	if claims.ExpiresAt == 0 || claims.ExpiresAt <= now-30 {
+		return errors.New("token expired")
+	}
+	if claims.NotBefore != 0 && claims.NotBefore > now+30 {
+		return errors.New("token not active")
+	}
+	return nil
+}
+
+func audienceMatches(raw json.RawMessage, expected string) bool {
+	var single string
+	if err := json.Unmarshal(raw, &single); err == nil {
+		return single == expected
+	}
+	var many []string
+	if err := json.Unmarshal(raw, &many); err == nil {
+		for _, audience := range many {
+			if audience == expected {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func decodeJSON(encoded string, out any) error {
+	payload, err := base64.RawURLEncoding.DecodeString(encoded)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(payload, out)
+}
+
+func bearerToken(value string) string {
+	fields := strings.Fields(value)
+	if len(fields) != 2 || !strings.EqualFold(fields[0], "Bearer") {
+		return ""
+	}
+	return fields[1]
+}
+
+func writeUnauthorized(w http.ResponseWriter) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusUnauthorized)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"error": "invalid bearer token",
+		"code":  "unauthorized",
+	})
+}